1
/*
2
 * Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved.
3
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4
 *
5
 * This code is free software; you can redistribute it and/or modify it
6
 * under the terms of the GNU General Public License version 2 only, as
7
 * published by the Free Software Foundation.
8
 *
9
 * This code is distributed in the hope that it will be useful, but WITHOUT
10
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
11
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
12
 * version 2 for more details (a copy is included in the LICENSE file that
13
 * accompanied this code).
14
 *
15
 * You should have received a copy of the GNU General Public License version
16
 * 2 along with this work; if not, write to the Free Software Foundation,
17
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
18
 *
19
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
20
 * or visit www.oracle.com if you need additional information or have any
21
 * questions.
22
 */
23

24
/*
25
 * @test
26
 * @bug 8206925
27
 * @library /javax/net/ssl/templates
28
 * @summary Support the certificate_authorities extension
29
 */
30
import javax.net.ssl.TrustManager;
31
import javax.net.ssl.TrustManagerFactory;
32
import javax.net.ssl.X509TrustManager;
33
import javax.security.auth.x500.X500Principal;
34
import java.security.KeyStore;
35
import java.security.cert.X509Certificate;
36

37
public class CacertsLimit {
38
    public static void main(String[] args) throws Exception {
39
        for (String algorithm : new String[] {"SunX509", "PKIX"}) {
40
            CacertsLimit.ensureLimit(algorithm);
41
        }
42
    }
43

44
    private static void ensureLimit(String algorithm) throws Exception {
45
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(algorithm);
46
        tmf.init((KeyStore)null);
47
        TrustManager[] tms = tmf.getTrustManagers();
48

49
        if (tms == null || tms.length == 0) {
50
            throw new Exception("No default key store used for trust manager");
51
        }
52

53
        if (!(tms[0] instanceof X509TrustManager)) {
54
            throw new Exception(
55
                "The trust manger is not an instance of X509TrustManager");
56
        }
57

58
        checkLimit(((X509TrustManager)tms[0]).getAcceptedIssuers());
59
    }
60

61
    private static void checkLimit(
62
            X509Certificate[] trustedCerts) throws Exception {
63
        int sizeAccount = 0;
64
        for (X509Certificate cert : trustedCerts) {
65
            X500Principal x500Principal = cert.getSubjectX500Principal();
66
            byte[] encodedPrincipal = x500Principal.getEncoded();
67
            sizeAccount += encodedPrincipal.length;
68
            if (sizeAccount > 0xFFFF) {
69
                throw new Exception(
70
                        "There are too many trusted CAs in cacerts. The " +
71
                        "certificate_authorities extension cannot be used " +
72
                        "for TLS connections.  Please rethink about the size" +
73
                        "of the cacerts, or have a release note for the " +
74
                        "impacted behaviors");
75
            } else if (sizeAccount > 0x4000) {
76
                throw new Exception(
77
                        "There are too many trusted CAs in cacerts. The " +
78
                        "certificate_authorities extension cannot be " +
79
                        "packaged in one TLS record, which would result in " +
80
                        "interoperability issues.  Please rethink about the " +
81
                        "size of the cacerts, or have a release note for " +
82
                        "the impacted behaviors");
83
            }
84
        }
85
    }
86
}
87

88

89